Remove middlewares
Middlewares, while kinda cool from an academic standpoint, make our
build times even worse than they already are. Given that we only really
use 1 real middleware today (token auth) and it needs to move into the
parser mode anyway (for security limiting buffer sizes), we might as well
use this as an opportunity to delete some code.
Some other things that happen:
1. Persistent data now moves out of the crow namespace
2. App is no longer a template
3. All request_routes implementations no longer become templates. This
should be a decent (unmeasured) win on compile times.
This commit was part of a commit previously called "various cleanups".
This separates ONLY the middleware deletion part of that.
Note, this also deletes about 400 lines of hard to understand code.
Change-Id: I4c19e25491a153a2aa2e4ef46fc797bcb5b3581a
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/include/authorization.hpp b/include/authorization.hpp
index c00090b..1fd1b12 100644
--- a/include/authorization.hpp
+++ b/include/authorization.hpp
@@ -11,7 +11,6 @@
#include <boost/container/flat_set.hpp>
#include <http_utility.hpp>
#include <pam_authenticate.hpp>
-#include <persistent_data_middleware.hpp>
#include <random>
@@ -29,13 +28,13 @@
// user session?
if (req.session != nullptr &&
req.session->persistence ==
- crow::persistent_data::PersistenceType::SINGLE_REQUEST)
+ persistent_data::PersistenceType::SINGLE_REQUEST)
{
persistent_data::SessionStore::getInstance().removeSession(req.session);
}
}
-static const std::shared_ptr<crow::persistent_data::UserSession>
+static const std::shared_ptr<persistent_data::UserSession>
performBasicAuth(std::string_view auth_header)
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Basic authentication";
@@ -76,11 +75,11 @@
// This whole flow needs to be revisited anyway, as we can't be
// calling directly into pam for every request
return persistent_data::SessionStore::getInstance().generateUserSession(
- user, crow::persistent_data::PersistenceType::SINGLE_REQUEST,
+ user, persistent_data::PersistenceType::SINGLE_REQUEST,
isConfigureSelfOnly);
}
-static const std::shared_ptr<crow::persistent_data::UserSession>
+static const std::shared_ptr<persistent_data::UserSession>
performTokenAuth(std::string_view auth_header)
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Token authentication";
@@ -91,7 +90,7 @@
return session;
}
-static const std::shared_ptr<crow::persistent_data::UserSession>
+static const std::shared_ptr<persistent_data::UserSession>
performXtokenAuth(const crow::Request& req)
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] X-Auth-Token authentication";
@@ -106,7 +105,7 @@
return session;
}
-static const std::shared_ptr<crow::persistent_data::UserSession>
+static const std::shared_ptr<persistent_data::UserSession>
performCookieAuth(const crow::Request& req)
{
BMCWEB_LOG_DEBUG << "[AuthMiddleware] Cookie authentication";
@@ -131,7 +130,7 @@
std::string_view authKey =
cookieValue.substr(startIndex, endIndex - startIndex);
- const std::shared_ptr<crow::persistent_data::UserSession> session =
+ const std::shared_ptr<persistent_data::UserSession> session =
persistent_data::SessionStore::getInstance().loginSessionByToken(
authKey);
if (session == nullptr)
@@ -149,7 +148,7 @@
return nullptr;
}
- if (csrf.size() != crow::persistent_data::sessionTokenSize)
+ if (csrf.size() != persistent_data::sessionTokenSize)
{
return nullptr;
}
@@ -163,9 +162,9 @@
return session;
}
-static const std::shared_ptr<crow::persistent_data::UserSession>
+static const std::shared_ptr<persistent_data::UserSession>
performTLSAuth(const crow::Request& req, Response& res,
- std::weak_ptr<crow::persistent_data::UserSession> session)
+ std::weak_ptr<persistent_data::UserSession> session)
{
#ifdef BMCWEB_ENABLE_MUTUAL_TLS_AUTHENTICATION
if (auto sp = session.lock())
@@ -235,18 +234,16 @@
return false;
}
-static void
- authenticate(crow::Request& req, Response& res,
- std::weak_ptr<crow::persistent_data::UserSession> session)
+static void authenticate(crow::Request& req, Response& res,
+ std::weak_ptr<persistent_data::UserSession> session)
{
if (isOnWhitelist(req))
{
return;
}
- const crow::persistent_data::AuthConfigMethods& authMethodsConfig =
- crow::persistent_data::SessionStore::getInstance()
- .getAuthMethodsConfig();
+ const persistent_data::AuthConfigMethods& authMethodsConfig =
+ persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
if (req.session == nullptr && authMethodsConfig.tls)
{
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
new file mode 100644
index 0000000..6fa9c0a
--- /dev/null
+++ b/include/cors_preflight.hpp
@@ -0,0 +1,19 @@
+#pragma once
+
+#include <app.h>
+#include <http_request.h>
+#include <http_response.h>
+
+namespace cors_preflight
+{
+void requestRoutes(App& app)
+{
+ BMCWEB_ROUTE(app, "<str>")
+ .methods(boost::beast::http::verb::options)(
+ [](const crow::Request& req, crow::Response& res) {
+ // An empty body handler that simply returns the headers bmcweb
+ // uses This allows browsers to do their CORS preflight checks
+ res.end();
+ });
+}
+} // namespace cors_preflight
diff --git a/include/dbus_monitor.hpp b/include/dbus_monitor.hpp
index 9e22b9c..3630ecf 100644
--- a/include/dbus_monitor.hpp
+++ b/include/dbus_monitor.hpp
@@ -114,8 +114,7 @@
return 0;
}
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/subscribe")
.requires({"Login"})
diff --git a/include/ibm/management_console_rest.hpp b/include/ibm/management_console_rest.hpp
index 74cddc6..7cb744e 100644
--- a/include/ibm/management_console_rest.hpp
+++ b/include/ibm/management_console_rest.hpp
@@ -574,8 +574,7 @@
res.end();
}
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
// allowed only for admin
diff --git a/include/image_upload.hpp b/include/image_upload.hpp
index c1ec682..af7aeac 100644
--- a/include/image_upload.hpp
+++ b/include/image_upload.hpp
@@ -109,8 +109,7 @@
timeout.async_wait(timeoutHandler);
}
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/upload/image/<str>")
.requires({"ConfigureComponents", "ConfigureManager"})
diff --git a/include/kvm_websocket.hpp b/include/kvm_websocket.hpp
index 6db06fc..4b56f23 100644
--- a/include/kvm_websocket.hpp
+++ b/include/kvm_websocket.hpp
@@ -5,7 +5,6 @@
#include <async_resp.hpp>
#include <boost/container/flat_map.hpp>
-#include <webserver_common.hpp>
namespace crow
{
@@ -155,7 +154,7 @@
std::unique_ptr<KvmSession>>
sessions;
-inline void requestRoutes(CrowApp& app)
+inline void requestRoutes(App& app)
{
sessions.reserve(maxSessions);
diff --git a/include/login_routes.hpp b/include/login_routes.hpp
index 91acda7..bd335e3 100644
--- a/include/login_routes.hpp
+++ b/include/login_routes.hpp
@@ -7,7 +7,6 @@
#include <boost/container/flat_set.hpp>
#include <pam_authenticate.hpp>
-#include <persistent_data_middleware.hpp>
#include <webassets.hpp>
#include <random>
@@ -18,15 +17,8 @@
namespace login_routes
{
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
- static_assert(
- black_magic::Contains<persistent_data::Middleware,
- Middlewares...>::value,
- "token_authorization middleware must be enabled in app to use "
- "auth routes");
-
BMCWEB_ROUTE(app, "/login")
.methods(boost::beast::http::verb::post)([](const crow::Request& req,
crow::Response& res) {
@@ -149,7 +141,7 @@
persistent_data::SessionStore::getInstance()
.generateUserSession(
username,
- crow::persistent_data::PersistenceType::TIMEOUT,
+ persistent_data::PersistenceType::TIMEOUT,
isConfigureSelfOnly);
if (looksLikePhosphorRest)
diff --git a/include/nbd_proxy.hpp b/include/nbd_proxy.hpp
index 212c1db..462e4a7 100644
--- a/include/nbd_proxy.hpp
+++ b/include/nbd_proxy.hpp
@@ -23,7 +23,6 @@
#include <boost/container/flat_map.hpp>
#include <dbus_utility.hpp>
#include <privileges.hpp>
-#include <webserver_common.hpp>
#include <variant>
@@ -248,7 +247,7 @@
std::shared_ptr<NbdProxyServer>>
sessions;
-void requestRoutes(CrowApp& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/nbd/<str>")
.websocket()
diff --git a/include/obmc_console.hpp b/include/obmc_console.hpp
index 9e5e058..af02dde 100644
--- a/include/obmc_console.hpp
+++ b/include/obmc_console.hpp
@@ -6,7 +6,6 @@
#include <async_resp.hpp>
#include <boost/container/flat_map.hpp>
#include <boost/container/flat_set.hpp>
-#include <webserver_common.hpp>
namespace crow
{
@@ -102,7 +101,7 @@
doRead();
}
-void requestRoutes(CrowApp& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/console0")
.requires({"ConfigureComponents", "ConfigureManager"})
diff --git a/include/openbmc_dbus_rest.hpp b/include/openbmc_dbus_rest.hpp
index c41a568..26904d9 100644
--- a/include/openbmc_dbus_rest.hpp
+++ b/include/openbmc_dbus_rest.hpp
@@ -2072,8 +2072,7 @@
res.end();
}
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/bus/")
.requires({"Login"})
diff --git a/include/persistent_data_middleware.hpp b/include/persistent_data.hpp
similarity index 91%
rename from include/persistent_data_middleware.hpp
rename to include/persistent_data.hpp
index 819d69d..5d4661c 100644
--- a/include/persistent_data_middleware.hpp
+++ b/include/persistent_data.hpp
@@ -16,15 +16,10 @@
#include <fstream>
#include <random>
-namespace crow
-{
-
namespace persistent_data
{
-namespace fs = std::filesystem;
-
-class Middleware
+class ConfigFile
{
uint64_t jsonRevision = 1;
@@ -32,15 +27,12 @@
// todo(ed) should read this from a fixed location somewhere, not CWD
static constexpr const char* filename = "bmcweb_persistent_data.json";
- struct Context
- {};
-
- Middleware()
+ ConfigFile()
{
readData();
}
- ~Middleware()
+ ~ConfigFile()
{
if (persistent_data::SessionStore::getInstance().needsWrite())
{
@@ -48,12 +40,6 @@
}
}
- void beforeHandle(crow::Request& req, Response& res, Context& ctx)
- {}
-
- void afterHandle(Request& req, Response& res, Context& ctx)
- {}
-
// TODO(ed) this should really use protobuf, or some other serialization
// library, but adding another dependency is somewhat outside the scope of
// this application for the moment
@@ -161,9 +147,11 @@
std::ofstream persistentFile(filename);
// set the permission of the file to 640
- fs::perms permission = fs::perms::owner_read | fs::perms::owner_write |
- fs::perms::group_read;
- fs::permissions(filename, permission);
+ std::filesystem::perms permission =
+ std::filesystem::perms::owner_read |
+ std::filesystem::perms::owner_write |
+ std::filesystem::perms::group_read;
+ std::filesystem::permissions(filename, permission);
nlohmann::json data{
{"sessions", SessionStore::getInstance().authTokens},
@@ -176,5 +164,10 @@
std::string systemUuid{""};
};
+inline ConfigFile& getConfig()
+{
+ static ConfigFile f;
+ return f;
+}
+
} // namespace persistent_data
-} // namespace crow
diff --git a/include/redfish_v1.hpp b/include/redfish_v1.hpp
index dfdb900..429fb08 100644
--- a/include/redfish_v1.hpp
+++ b/include/redfish_v1.hpp
@@ -2,19 +2,11 @@
#include <app.h>
-#include <boost/algorithm/string.hpp>
-#include <dbus_singleton.hpp>
-#include <persistent_data_middleware.hpp>
-
-#include <fstream>
-#include <streambuf>
-#include <string>
namespace crow
{
namespace redfish
{
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/redfish/")
.methods(boost::beast::http::verb::get)(
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
new file mode 100644
index 0000000..cf845c1
--- /dev/null
+++ b/include/security_headers.hpp
@@ -0,0 +1,61 @@
+#pragma once
+
+#include <http_response.h>
+
+inline void addSecurityHeaders(crow::Response& res)
+{
+ /*
+ TODO(ed) these should really check content types. for example,
+ X-UA-Compatible header doesn't make sense when retrieving a JSON or
+ javascript file. It doesn't hurt anything, it's just ugly.
+ */
+ using bf = boost::beast::http::field;
+ res.addHeader(bf::strict_transport_security, "max-age=31536000; "
+ "includeSubdomains; "
+ "preload");
+ res.addHeader(bf::x_frame_options, "DENY");
+
+ res.addHeader(bf::pragma, "no-cache");
+ res.addHeader(bf::cache_control, "no-Store,no-Cache");
+
+ res.addHeader("X-XSS-Protection", "1; "
+ "mode=block");
+ res.addHeader("X-Content-Type-Options", "nosniff");
+
+#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
+
+#else
+ // If XSS is disabled, we need to allow loading from addresses other
+ // than self, as the BMC will be hosted elsewhere.
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src *; "
+ "font-src *; "
+ "style-src *; "
+ "script-src *; "
+ "connect-src *");
+
+ const std::string_view origin = req.getHeaderValue("Origin");
+ res.addHeader(bf::access_control_allow_origin, origin);
+ res.addHeader(bf::access_control_allow_methods, "GET, "
+ "POST, "
+ "PUT, "
+ "PATCH, "
+ "DELETE");
+ res.addHeader(bf::access_control_allow_credentials, "true");
+ res.addHeader(bf::access_control_allow_headers, "Origin, "
+ "Content-Type, "
+ "Accept, "
+ "Cookie, "
+ "X-XSRF-TOKEN");
+
+#endif
+}
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
deleted file mode 100644
index d3c3335..0000000
--- a/include/security_headers_middleware.hpp
+++ /dev/null
@@ -1,81 +0,0 @@
-#pragma once
-
-#include <http_request.h>
-#include <http_response.h>
-
-namespace crow
-{
-struct SecurityHeadersMiddleware
-{
- struct Context
- {};
-
- void beforeHandle(crow::Request& req, Response& res, Context& ctx)
- {
-#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
- if (boost::beast::http::verb::options == req.method())
- {
- res.end();
- }
-#endif
- }
-
- void afterHandle(Request& req, Response& res, Context& ctx)
- {
- /*
- TODO(ed) these should really check content types. for example,
- X-UA-Compatible header doesn't make sense when retrieving a JSON or
- javascript file. It doesn't hurt anything, it's just ugly.
- */
- using bf = boost::beast::http::field;
- res.addHeader(bf::strict_transport_security, "max-age=31536000; "
- "includeSubdomains; "
- "preload");
- res.addHeader(bf::x_frame_options, "DENY");
-
- res.addHeader(bf::pragma, "no-cache");
- res.addHeader(bf::cache_control, "no-Store,no-Cache");
-
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
- res.addHeader("X-Content-Type-Options", "nosniff");
-
-#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src 'self' data:; "
- "font-src 'self'; "
- "style-src 'self'; "
- "script-src 'self'; "
- "connect-src 'self' wss:");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
-
-#else
- // If XSS is disabled, we need to allow loading from addresses other
- // than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src *; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *");
-
- const std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
-
-#endif
- }
-};
-} // namespace crow
diff --git a/include/sessions.hpp b/include/sessions.hpp
index 217ce95..3a787fc 100644
--- a/include/sessions.hpp
+++ b/include/sessions.hpp
@@ -20,9 +20,6 @@
#include <ibm/locks.hpp>
#endif
-namespace crow
-{
-
namespace persistent_data
{
@@ -364,10 +361,6 @@
return std::chrono::seconds(timeoutInMinutes).count();
};
- // Persistent data middleware needs to be able to serialize our authTokens
- // structure, which is private
- friend Middleware;
-
static SessionStore& getInstance()
{
static SessionStore sessionStore;
@@ -377,6 +370,16 @@
SessionStore(const SessionStore&) = delete;
SessionStore& operator=(const SessionStore&) = delete;
+ std::unordered_map<std::string, std::shared_ptr<UserSession>,
+ std::hash<std::string>,
+ crow::utility::ConstantTimeCompare>
+ authTokens;
+
+ std::chrono::time_point<std::chrono::steady_clock> lastTimeoutUpdate;
+ bool needWrite{false};
+ std::chrono::minutes timeoutInMinutes;
+ AuthConfigMethods authMethodsConfig;
+
private:
SessionStore() : timeoutInMinutes(60)
{}
@@ -408,32 +411,20 @@
}
}
}
-
- std::chrono::time_point<std::chrono::steady_clock> lastTimeoutUpdate;
- std::unordered_map<std::string, std::shared_ptr<UserSession>,
- std::hash<std::string>,
- crow::utility::ConstantTimeCompare>
- authTokens;
- bool needWrite{false};
- std::chrono::minutes timeoutInMinutes;
- AuthConfigMethods authMethodsConfig;
};
} // namespace persistent_data
-} // namespace crow
// to_json(...) definition for objects of UserSession type
namespace nlohmann
{
template <>
-struct adl_serializer<std::shared_ptr<crow::persistent_data::UserSession>>
+struct adl_serializer<std::shared_ptr<persistent_data::UserSession>>
{
- static void
- to_json(nlohmann::json& j,
- const std::shared_ptr<crow::persistent_data::UserSession>& p)
+ static void to_json(nlohmann::json& j,
+ const std::shared_ptr<persistent_data::UserSession>& p)
{
- if (p->persistence !=
- crow::persistent_data::PersistenceType::SINGLE_REQUEST)
+ if (p->persistence != persistent_data::PersistenceType::SINGLE_REQUEST)
{
#ifdef BMCWEB_ENABLE_IBM_MANAGEMENT_CONSOLE
j = nlohmann::json{
@@ -452,10 +443,10 @@
};
template <>
-struct adl_serializer<crow::persistent_data::AuthConfigMethods>
+struct adl_serializer<persistent_data::AuthConfigMethods>
{
static void to_json(nlohmann::json& j,
- const crow::persistent_data::AuthConfigMethods& c)
+ const persistent_data::AuthConfigMethods& c)
{
j = nlohmann::json{{"XToken", c.xtoken},
{"Cookie", c.cookie},
diff --git a/include/vm_websocket.hpp b/include/vm_websocket.hpp
index dc352e2..33fadd0 100644
--- a/include/vm_websocket.hpp
+++ b/include/vm_websocket.hpp
@@ -5,7 +5,6 @@
#include <boost/beast/core/flat_static_buffer.hpp>
#include <boost/process.hpp>
-#include <webserver_common.hpp>
#include <csignal>
@@ -155,8 +154,7 @@
static std::shared_ptr<Handler> handler;
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
BMCWEB_ROUTE(app, "/vm/0/0")
.requires({"ConfigureComponents", "ConfigureManager"})
diff --git a/include/webassets.hpp b/include/webassets.hpp
index bb9ab7f..54d3c98 100644
--- a/include/webassets.hpp
+++ b/include/webassets.hpp
@@ -27,8 +27,7 @@
}
};
-template <typename... Middlewares>
-void requestRoutes(Crow<Middlewares...>& app)
+void requestRoutes(App& app)
{
const static boost::container::flat_map<const char*, const char*, CmpStr>
contentTypes{
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
deleted file mode 100644
index d8876d4..0000000
--- a/include/webserver_common.hpp
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
-// Copyright (c) 2018 Intel Corporation
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-*/
-#pragma once
-
-#include "persistent_data_middleware.hpp"
-#include "security_headers_middleware.hpp"
-
-using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
- crow::persistent_data::Middleware>;